[Document Name] Specification
[Title of the Invention] Mobile Communication Network System And Mobile
Communication Method
[Claims] 

[Claim 1] 

A mobile communication network system that comprises a mobile 
communication network, a plurality of external networks, a plurality of mobile 
terminals, a plurality of gateways, and a plurality of access points, wherein said 
external networks and said mobile communication network are connected by said 
gateways, and said mobile terminals are connected to said mobile 
communication network by said access points, said system characterized in that 

when packets are transmitted and received between said mobile terminals 
in said mobile communication network, the packets are communicated by way of 
virtual networks that are provided to correspond to each of said external 
networks on said mobile communication network, without passing said external 
networks. 

[Claim 2] 

A mobile communication network system that comprises a mobile 
communication network, a plurality of external networks, a plurality of mobile 
terminals, a plurality of gateways, and a plurality of access points, wherein said 
external networks and said mobile communication network are connected by said 
gateways, and said mobile terminals are connected to said mobile 
communication network by said access points, said system characterized in that 

said mobile communication network is provided with means for offering 
virtual networks that correspond to each said external network, 

said gateways are provided with means for connecting said external 
networks to corresponding said virtual networks,

said mobile terminals are provided with means for setting sessions with 
said access points for any of said external networks, 

said access points are provided with means for transferring packets that 
have been received from any of said sessions to a virtual network that has been 
prepared for an external network that corresponds to that session, 

said access points are provided with means for transferring packets, which 
have been received from said virtual network that corresponds to any external 
network, to a session that has been set for said external network by said mobile 
terminal that is the destination of these packets, and 

private leased line connections are provided between said mobile 
terminals and said external networks, and when transmission or reception of 
packets is realized between said mobile terminals in said mobile communication 
network, the packets are communicated by way of virtual networks that are 
provided to correspond to each of said external networks on said mobile 
communication network. 

[Claim 3] 

A mobile communication network system as claimed in claim 2, 
characterized in that 

when said mobile terminal is to be handed over from a current access 
point to which it is currently connected to a new access point, said current access 
point is provided with means for transferring information of all sessions that said 
mobile terminal has set to said new access point, and 

said private leased line connection between said mobile terminal and said 
external network can be continued without interruption when said mobile terminal 
implements handover. 

[Claim 4]

A mobile communication network system as claimed in claim 2, 
characterized in that 

when said mobile terminal is to be handed over from a current access 
point to which it is currently connected to a new access point, said new access 
point is provided with means for acquiring information of all sessions that said 
mobile terminal has set from said current access point, and 

said private leased line connection between said mobile terminal and said 
external network can be continued without interruption when said mobile terminal 
implements handover. 

[Claim 5] 

A mobile communication network system as claimed in any one of claims 
2 to 4, characterized in that 

a mobility management node is arranged within said mobile 
communication network, 

said mobility management node comprises a plurality of virtual mobility 
management nodes that are prepared for each of said external networks, 

each of said virtual mobility management nodes is provided with means 
for transmitting and receiving packets only with a said virtual network that has 
been prepared for use by a corresponding external network, 

said mobile terminals are provided with means for reporting positional
information to said virtual mobility management node that corresponds to said
external network to which the mobile terminal is to be connected,

each of said virtual mobility management nodes is further provided with
means for holding positional information that has been reported from said mobile
terminals and means for, when packets that are addressed to said mobile
terminals are received, transferring these packets to positions that have been
reported from said mobile terminals, and

said virtual networks, that are prepared to correspond to each of said
external networks on said mobile communication network, manage the position
of said mobile terminals.

[Claim 6] 

A mobile communication network system as claimed in any one of claims 
2 to 5, characterized in that 

said mobile communication network comprises a control/management 
virtual network, 

said mobile communication network further comprises a means for 
transmitting and receiving, by way of said control/management virtual network, 
packets for control and management that are exchanged between nodes that are 
arranged within said mobile communication network and that include said access 
points and said mobility management nodes; and means for refusing packets for 
control and management that have been received from sources other than said 
control/management virtual network, and 

the security of the communication among nodes arranged within said 
mobile communication network is ensured. 

[Claim 7] 

A mobile communication method in a mobile communication network 
comprises a mobile communication network, a plurality of external networks, a 
plurality of mobile terminals, a plurality of gateways, and a plurality of access 
points, wherein said external networks and said mobile communication network 
are connected by said gateways, and said mobile terminals are connected to 
said mobile communication network by said access points, said method 
characterized in that

a said mobile terminal sets a session for any of said external networks 
with said access point, 

a said access point transfers packets that have been received from any 
said session to a virtual network that has been prepared for each of said external 
networks that corresponds to the session, 

said access point transfers packets that have been received from said 
virtual network that corresponds to any external network to the session that has 
been set for use of said external network by said mobile terminal that is the 
destination of the packets, and 

private leased line connections are provided between said mobile 
terminals and said external networks, and when transmission or reception of 
packets is realized between said mobile terminals, the packets are 
communicated by way of virtual networks that are provided to correspond to each 
of said external networks on said mobile communication network. 

[Claim 8] 

A mobile communication method as claimed in claim 7,
characterized in that

when said mobile terminal is to be handed over from a current access 
point to which it is currently connected to a new access point, said current access 
point transfers information of all sessions that said mobile terminal has set to said 
new access point. 

[Claim 9] 

A mobile communication method as claimed in claim 7,
characterized in that

when said mobile terminal is to be handed over from a current access
point to which it is currently connected to a new access point, said new access
point acquires information of all sessions that said mobile terminal has set from
said current access point.

[Claim 10]

A mobile communication method as claimed in any one of claims 7 to 9, 
characterized in that 

a mobility management node that is arranged within said mobile 
communication network comprises a plurality of virtual mobility management 
nodes that are prepared for each of said external networks, 

each of said virtual mobility management nodes transmits and receives 
packets only with a said virtual network that has been prepared for use by a 
corresponding external network, 

said mobile terminals report positional information to said virtual mobility 
management node that corresponds to said external network to which the mobile 
terminal is to be connected, 

each of said virtual mobility management nodes holds positional 
information that has been reported from said mobile terminals and, when packets 
that are addressed to said mobile terminals are received, transfers these packets 
to positions that have been reported from said mobile terminals, and 

said virtual networks, that are prepared to correspond to each of said
external networks on said mobile communication network, manage the position
of said mobile terminals.

[Claim 11]

A mobile communication method as claimed in any one of claims 7 to 10, 
characterized in that 

said mobile communication network comprises a control/management 
virtual network,

said mobile communication network transmits and receives, by way of
said control/management virtual network, packets for control and management
that are exchanged between nodes that are arranged within said mobile
communication network and that include said access points and said mobility
management nodes; and refuses packets for control and management that have
been received from sources other than said control/management virtual network,
and

the security of the communication among nodes arranged within said
mobile communication network is ensured.

[Detailed Description of the Invention]

[0001] 

[Field of the Invention] 

The present invention relates to a mobile communication network system
and to a mobile communication method, and more particularly to a mobile
communication network system and a mobile communication method in which a
mobile communication network provides a private leased line connection
capability between external networks and mobile terminals.

[0002] 

[Description of the Related Art] 

Prior art in which a mobile communication network provides a private 
leased line connection capability between external networks and mobile 
terminals includes GPRS (General Packet Radio Service), which is a mobile 
communication technology presented by the ETSI (European 
Telecommunications Standards Institute) and 3GPP (Third-Generation 
Partnership Project). GPRS both supports movement of terminals and provides 
private leased line connection capabilities for connecting mobile terminals to
specific external networks.

[0003]

In addition, mobile control technology that has been developed by the IETF
(Internet Engineering Task Force) includes Mobile IP (RFC2002), and private
network technology includes IPSEC. A combination of these technologies
supports the movement of terminals and can realize private leased line
connections between mobile terminals and external networks.

[0004] 

Still further, technology proposals exist for using a virtual private network 
technology in a core network of a mobile communication network for connecting 
mobile terminals to external networks, one example being disclosed in 

http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/itsolutions/network/deploy/depovg/ieee802.asp.

[0005] 

[Problem to Be Solved by the Invention] 

However, the above-described technology has various problems as 
described hereinbelow. 
[0006] 

In the above-described GPRS, tunnels are set between mobile terminals 
and the gateways with external networks, and all communication is realized by 
way of these tunnels. When communication is implemented between mobile 
terminals, packets transmitted by the mobile terminals are transmitted to the 
gateways with the external networks by way of the tunnels, and then again 
returned to the mobile terminals of the communication partners from the 
gateways with the external networks by way of the tunnels. 



[0007] 

As a result, the technology of the prior art suffers from such problems as 
the considerable delay of the packets and the poor efficiency of circuit use due to 
wasted bandwidth within the mobile communication network. 

[0008] 

In addition, there is also the problem of wasted bandwidth within the 
network and the poor efficiency of circuit use when implementing multicast 
communication to a plurality of mobile terminals, because the multicast packets 
are copied and transmitted for each tunnel of a mobile terminal at the gateway 
with an external network. 

[0009] 

On the other hand, in the case of an IP based mobile communication
network that employs Mobile IP and IPSEC, it is assumed that the mobile
network and the external networks are IP networks. The movement of terminals in
this flat IP network is supported by Mobile IP. To further provide a private leased
line connection capability, gateways are arranged between the mobile
communication network and external networks, and tunnels are set between
mobile terminals and the gateways by means of IPSEC.

[0010] 

Thus, when a private leased line connection capability is offered in an IP 
based mobile communication network that uses Mobile IP and IPSEC, all 
packets are exchanged by way of tunnels, and the same problems therefore 
occur in this configuration as occur in GPRS. 

[0011] 

As a different configuration, when realizing communication between 
mobile terminals, it is also possible to directly set IPSEC tunnels between mobile 
terminals without implementing return communication by way of gateways. This
configuration, however, provides no solution for the problems encountered in 
multicast communication. There is also the problem that management of tunnels 
becomes problematic when there are numerous communication partner mobile 
terminals. 

[0012] 

In addition, in an IP based mobile communication network that uses 
Mobile IP and IPSEC, nodes in the mobile communication network can be freely 
accessed from the outside, and a security function is therefore necessary. For 
example, when realizing handover between access points, packets for handover 
requests and handover notifications between access points must be 
authenticated, and as a result, a security association must be established in 
advance for implementing authentication between access points. Such a method
suffers from the problem that the management of the security association
becomes troublesome as the number of access points increases.

[0013] 

When a virtual private network technology is used in the core network of a 
mobile communication network and connections are provided to external 
networks, the problem occurs in the prior art that the connection to the private 
network is cut off when a terminal moves. 

[0014] 

The present invention was realized in view of the above-described 
circumstances and has as its first object the provision of a mobile communication 
network system and mobile communication method for realizing an improvement 
in the efficiency of circuit use when implementing communication between mobile 
terminals. 

[0015]

Another object of the present invention is to provide a mobile 
communication network system and mobile communication method for realizing 
an improvement in the efficiency of circuit use in the multicast communication of 
mobile terminals. 

[0016] 

It is yet another object of the present invention to provide a mobile 
communication network system and mobile communication method that 
eliminates the inconvenience of establishing a security association between 
mobile terminals or between nodes. 

[0017] 

Finally, it is another object of the present invention to provide a mobile 
communication network system and mobile communication method that can 
continue a private line connection between a mobile terminal and an external 
network without cutting off the private leased line connection when the mobile 
terminal implements handover. 

[0018] 

[Means to Solve the Problem] 

In order to attain the object described above, according to the present 
invention, 

a mobile communication network system that comprises a mobile 
communication network, a plurality of external networks, a plurality of mobile 
terminals, a plurality of gateways, and a plurality of access points, wherein said 
external networks and said mobile communication network are connected by said 
gateways, and said mobile terminals are connected to said mobile 
communication network by said access points, said system characterized in that 

when packets are transmitted and received between said mobile terminals
in said mobile communication network, the packets are communicated by way of 
virtual networks that are provided to correspond to each of said external 
networks on said mobile communication network, without passing said external 
networks. 

[0019] 

According to the present invention of claim 2, 
a mobile communication network system that comprises a mobile 
communication network, a plurality of external networks, a plurality of mobile 
terminals, a plurality of gateways, and a plurality of access points, wherein said 
external networks and said mobile communication network are connected by said 
gateways, and said mobile terminals are connected to said mobile 
communication network by said access points, said system characterized in that 

said mobile communication network is provided with means for offering 
virtual networks that correspond to each said external network, 

said gateways are provided with means for connecting said external 
networks to corresponding said virtual networks, 

said mobile terminals are provided with means for setting sessions with 
said access points for any of said external networks, 

said access points are provided with means for transferring packets that 
have been received from any of said sessions to a virtual network that has been 
prepared for an external network that corresponds to that session, 

said access points are provided with means for transferring packets, which 
have been received from said virtual network that corresponds to any external 
network, to a session that has been set for said external network by said mobile 
terminal that is the destination of these packets, and 

private leased line connections are provided between said mobile
terminals and said external networks, and when transmission or reception of 
packets is realized between said mobile terminals in said mobile communication 
network, the packets are communicated by way of virtual networks that are 
provided to correspond to each of said external networks on said mobile 
communication network. 

[0020] 

According to the mobile communication network system of the present 
invention of claim 3, characterized in that 

when said mobile terminal is to be handed over from a current access 
point to which it is currently connected to a new access point, said current access 
point is provided with means for transferring information of all sessions that said 
mobile terminal has set to said new access point, and 

said private leased line connection between said mobile terminal and said 
external network can be continued without interruption when said mobile terminal 
implements handover. 

[0021] 

According to the mobile communication network system of the present 
invention of claim 4, characterized in that 

when said mobile terminal is to be handed over from a current access 
point to which it is currently connected to a new access point, said new access 
point is provided with means for acquiring information of all sessions that said 
mobile terminal has set from said current access point, and 

said private leased line connection between said mobile terminal and said 
external network can be continued without interruption when said mobile terminal 
implements handover. 

[0022]

According to the mobile communication network system of the present 
invention of claim 5, characterized in that 

a mobility management node is arranged within said mobile 
communication network, 

said mobility management node comprises a plurality of virtual mobility 
management nodes that are prepared for each of said external networks, 

each of said virtual mobility management nodes is provided with means 
for transmitting and receiving packets only with a said virtual network that has 
been prepared for use by a corresponding external network, 

said mobile terminals are provided with means for reporting positional
information to said virtual mobility management node that corresponds to said
external network to which the mobile terminal is to be connected,

each of said virtual mobility management nodes is further provided with
means for holding positional information that has been reported from said mobile
terminals and means for, when packets that are addressed to said mobile
terminals are received, transferring these packets to positions that have been
reported from said mobile terminals, and

said virtual networks, that are prepared to correspond to each of said
external networks on said mobile communication network, manage the position
of said mobile terminals.

[0023]

According to the mobile communication network system of the present 
invention of claim 6, characterized in that 

said mobile communication network comprises a control/management 
virtual network, 

said mobile communication network further comprises a means for
transmitting and receiving, by way of said control/management virtual network,
packets for control and management that are exchanged between nodes that are
arranged within said mobile communication network and that include said access
points and said mobility management nodes; and means for refusing packets for 
control and management that have been received from sources other than said 
control/management virtual network, and 

the security of the communication among nodes arranged within said 
mobile communication network is ensured. 

[0024] 

According to the present invention of claim 7, 

a mobile communication method in a mobile communication network
comprises a mobile communication network, a plurality of external networks, a
plurality of mobile terminals, a plurality of gateways, and a plurality of access
points, wherein said external networks and said mobile communication network
are connected by said gateways, and said mobile terminals are connected to
said mobile communication network by said access points, said method
characterized in that

a said mobile terminal sets a session for any of said external networks
with said access point,

a said access point transfers packets that have been received from any
said session to a virtual network that has been prepared for each of said external
networks that corresponds to the session,

said access point transfers packets that have been received from said
virtual network that corresponds to any external network to the session that has
been set for use of said external network by said mobile terminal that is the
destination of the packets, and

private leased line connections are provided between said mobile 
terminals and said external networks, and when transmission or reception of 
packets is realized between said mobile terminals, the packets are 
communicated by way of virtual networks that are provided to correspond to each 
of said external networks on said mobile communication network.

[0025] 

According to the mobile communication method of the present invention of 
claim 8, characterized in that 

when said mobile terminal is to be handed over from a current access 
point to which it is currently connected to a new access point, said current access 
point transfers information of all sessions that said mobile terminal has set to said
new access point. 

[0026] 

According to the mobile communication method of the present invention of 
claim 9, characterized in that 

when said mobile terminal is to be handed over from a current access 
point to which it is currently connected to a new access point, said new access 
point acquires information of all sessions that said mobile terminal has set from
said current access point. 

[0027] 

According to the mobile communication method of the present invention of 
claim 10, characterized in that 

a mobility management node that is arranged within said mobile 
communication network comprises a plurality of virtual mobility management 
nodes that are prepared for each of said external networks,

each of said virtual mobility management nodes transmits and receives
packets only with a said virtual network that has been prepared for use by a 
corresponding external network, 

said mobile terminals report positional information to said virtual mobility 
management node that corresponds to said external network to which the mobile 
terminal is to be connected, 

each of said virtual mobility management nodes holds positional 
information that has been reported from said mobile terminals and, when packets 
that are addressed to said mobile terminals are received, transfers these packets 
to positions that have been reported from said mobile terminals, and 

said virtual networks, that are prepared to correspond to each of said
external networks on said mobile communication network, manage the position
of said mobile terminals.

[0028] 

According to the mobile communication method of the present invention of 
claim 11, characterized in that 

said mobile communication network comprises a control/management 
virtual network, 

said mobile communication network transmits and receives, by way of 
said control/management virtual network, packets for control and management 
that are exchanged between nodes that are arranged within said mobile 
communication network and that include said access points and said mobility 
management nodes; and refuses packets for control and management that have
been received from sources other than said control/management virtual network,
and

the security of the communication among nodes arranged within said
mobile communication network is ensured.

[0029]

The above-described configuration and means enable the transmission
and reception of packets between mobile terminals and external networks.
Further, when communication is realized between mobile terminals that are 
connected to the same external network, packets that have been transmitted 
from a mobile terminal by way of the session for use by that external network, 
following output from an access point, are transferred by way of the virtual 
network that is for use by that external network directly to the access point to 
which the mobile terminal of the communication partner is connected. The 
packets are then delivered to the mobile terminal of the communication partner 
by way of the session that has been set by the mobile terminal of the 
communication partner for use by this external network. In addition, multicast 
packets are transmitted as normal multicast packets on the virtual network for 
use by this external network, and after arriving at the access point, are delivered 
to the mobile terminal by way of the session for use by this external network. 
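
The forwarding behaviour described in [0029], together with the control/management virtual network of claims 6 and 11 and the session transfer of claims 3 and 8, can be modelled as follows. This is an added illustration and not part of the specification; the class and function names are assumptions, and the labels VCN1, VCN2, VCNS, APa1 and APb1 are borrowed from the first embodiment.

```python
from dataclasses import dataclass

CONTROL_VN = "VCNS"  # control/management virtual network


@dataclass
class Packet:
    src: str
    dst: str
    payload: object
    kind: str = "data"  # "data" or "control"


class VirtualNetwork:
    """One isolated forwarding domain per external network (hypothetical model)."""

    def __init__(self, name):
        self.name = name
        self.access_points = []
        self.gateway_hits = 0  # packets that had to leave via the gateway

    def forward(self, pkt):
        # Deliver straight to the access point holding the destination's
        # session for this virtual network; no detour through the gateway.
        for ap in self.access_points:
            if ap.deliver(self.name, pkt):
                return ap.name
        self.gateway_hits += 1
        return "gateway"


class AccessPoint:
    def __init__(self, name, data_vns):
        self.name = name
        self.vns = {vn.name: vn for vn in data_vns}
        self.sessions = {}  # (terminal, vn_name) -> packets delivered
        self.refused = []
        for vn in data_vns:
            vn.access_points.append(self)

    def open_session(self, terminal, vn_name):
        self.sessions[(terminal, vn_name)] = []

    def from_session(self, terminal, vn_name, pkt):
        # Uplink: the session, not the packet, selects the virtual network.
        if (terminal, vn_name) not in self.sessions or pkt.kind != "data":
            self.refused.append((vn_name, pkt))
            return None
        return self.vns[vn_name].forward(pkt)

    def deliver(self, vn_name, pkt):
        # Downlink: only a session opened for this same virtual network matches.
        inbox = self.sessions.get((pkt.dst, vn_name))
        if inbox is None:
            return False
        inbox.append(pkt)
        return True

    def receive_control(self, arrived_on, pkt):
        # Control/management packets are refused unless they arrive on VCNS.
        if arrived_on != CONTROL_VN or pkt.kind != "control":
            self.refused.append((arrived_on, pkt))
            return False
        for key in pkt.payload:
            self.sessions.setdefault(tuple(key), [])
        return True

    def handover(self, terminal, new_ap, via=CONTROL_VN):
        # Current AP transfers all of the terminal's session info to the new AP.
        keys = [k for k in self.sessions if k[0] == terminal]
        ctrl = Packet(self.name, new_ap.name, keys, kind="control")
        if not new_ap.receive_control(via, ctrl):
            return False
        for k in keys:
            del self.sessions[k]
        return True


def demo():
    # Constructed scenario: X on APa1 (sessions for VCN1 and VCN2), Y on APb1 (VCN1).
    vcn1, vcn2 = VirtualNetwork("VCN1"), VirtualNetwork("VCN2")
    apa1 = AccessPoint("APa1", [vcn1, vcn2])
    apb1 = AccessPoint("APb1", [vcn1, vcn2])
    apa1.open_session("X", "VCN1")
    apa1.open_session("X", "VCN2")
    apb1.open_session("Y", "VCN1")

    out = {}
    out["same_vn"] = apa1.from_session("X", "VCN1", Packet("X", "Y", "hello"))
    out["other_vn"] = apa1.from_session("X", "VCN2", Packet("X", "Y", "probe"))
    out["handover_on_data_vn"] = apb1.handover("Y", apa1, via="VCN1")
    out["handover"] = apb1.handover("Y", apa1)
    out["after_move"] = apa1.from_session("X", "VCN1", Packet("X", "Y", "again"))
    out["vcn1_gateway_hits"] = vcn1.gateway_hits
    out["refused_at_APa1"] = len(apa1.refused)
    return out


if __name__ == "__main__":
    print(demo())
```

The second packet shows the isolation property: Y holds no session for VCN2, so the packet never reaches Y's VCN1 session and leaves toward the gateway instead.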
[0030] 

[Description of the Preferred Embodiment] 

The details of preferred embodiments of the present invention are next
explained with reference to the accompanying figures.

[0031]

(First Embodiment)

The first embodiment is next explained with reference to Fig. 1. Fig. 1
shows the configuration of an overall network. The overall network is
composed of: a plurality of external networks EX1, EX2, and EX3; mobile
communication network MNW that is connected to these external networks; and
a plurality of mobile terminals X, Y, and Z that are connected to one or more of
the external networks by way of mobile communication network MNW. The 
number of external networks and the number of mobile terminals are not limited 
to any specific number. 
[0032] 

Mobile communication network MNW is composed of: core network CN; a 
plurality of access networks ANa, ANb, and ANc; a plurality of radio drop lines; a 
plurality of wired drop lines; external network gateways EGW1, EGW2, and 
EGW3 that connect core network CN to the external networks; access network 
gateways AGWa, AGWb, and AGWc that connect core network CN to access 
networks; radio access points APa1, APa2, APb1, and APb2 that connect access
networks and radio drop lines; and wired access points APc1 and APc2 that 
connect access networks to wired drop lines. The number of access networks 
and the number of access points are not limited to any specific numbers. 

[0033] 

Fig. 2 shows the logical configuration of core network CN. Core network 
CN uses an existing virtual private network technology such as multi-protocol 
label switching, and a plurality of virtual core networks are multiplexed on 
physical core network CN. In this example, virtual core network VCN1 for 
external network (1), virtual core network VCN2 for external network (2), virtual 
core network VCN3 for external network (3), and virtual core network VCNS for 
control/management are multiplexed. 

[0034] 

Fig. 3 shows the logical configuration of an access network. An access
network uses an already existing virtual private network technology such as
multi-protocol label switching, a plurality of virtual access networks being
multiplexed on physical access network ANa. In this example, virtual access
network VANa1 for external network (1), virtual access network VANa2 for
external network (2), virtual access network VANa3 for external network (3), and
virtual access network VANaS for control/management are multiplexed.

[0035]

Fig. 4 shows the logical configuration of a radio drop line or a wired drop 
line. Communication channel CH1 and authentication channel CH2 are 
multiplexed on physical drop line LD. Sessions between each mobile terminal 
and each external network are multiplexed on communication channel CH1. In 
this case, session Sx1 between mobile terminal (x)X and external network (1) 
EX1, session Sx2 between mobile terminal (x)X and external network (2) EX2, 
and session Sy1 between mobile terminal (y)Y and external network (1) EX1 are 
multiplexed on communication channel CH1. 

[0036] 

As for the identification and multiplexing/separation of authentication 
channel CH2 and communication channel CH1, if a dedicated construction has 
been prepared for this purpose through drop line LD link technology, this 
construction is used. Alternatively, if such a construction has not been prepared 
through link technology, connection identifiers are used to multiplex 
authentication channel CH2 and communication channel CH1 in the case of 
connection-directive link technology, and packet type identifiers are used to 
multiplex authentication channel CH2 and communication channel CH1 in the 
case of connectionless link technology. 

[0037] 

As for the multiplexing and separation and session identification between 
mobile terminals and external networks, a dedicated construction that has been 
prepared by the link technology for this purpose is used if such a construction 
exists. Alternatively, if such a construction has not been prepared in the link 
technology, connection identifiers are used to multiplex and separate sessions in 
the case of a connection-directive link technology, and packet-type identifiers and 
virtual network identifiers are used to multiplex and separate sessions in the case 
of connectionless link technology. 
[0038] 

Fig. 5 shows the configuration of an external network gateway. External 
network gateway EGW1 is composed of: external network-side transceiver TR01, 
external network gateway function EGF, external network gateway control 
function EGCF, virtual core network multiplexing-separation function CMUX1, 
and core network-side transceiver TR02. 

[0039] 

External network-side transceiver TR01 is connected to external network 
EX1 and transmits and receives packets. 
[0040] 

Core network-side transceiver TR02 is connected to core network CN and 
transmits and receives packets. 
[0041] 

Virtual core network multiplexing-separation function CMUX1 separates 
packets that have been received from core network-side transceiver TR02 for 
each virtual core network; supplies as input to external network gateway function 
EGF packets that have been transferred in on external network (1) virtual core 
network VCN1 that corresponds to connected external network EX1; or supplies 
as input to external network gateway control function EGCF packets that have 
been transmitted in on control/management virtual core network VCNS. 
[0042] 

Virtual core network multiplexing/separation function CMUX1 further 
transfers packets that have been received from external network gateway 
function EGF to the corresponding external network (1) virtual core network 
VCN1, transfers packets that have been received from external network gateway 
control function EGCF to control/management virtual core network VCNS, 
multiplexes these virtual core networks, and supplies output to core network-side 
transceiver TR02. 

[0043] 

External network gateway function EGF performs routing and filtering of 
packets between external network EX1 and core network CN. 
[0044] 

External network gateway control function EGCF performs settings for 
filtering and path settings to external network gateway function EGF. 
[0045] 

Fig. 6 shows the configuration of an access network gateway. Access 
network gateway ANGa is composed of: core network-side transceiver TR03a, 
virtual core network multiplexing/separation function CMUXa, external network 
(1) virtual access network gateway VAGW1a, external network (2) virtual access 
network gateway VAGW2a, external network (3) virtual access network gateway 
VAGW3a, control/management virtual access network gateway VAGWSa, virtual 
access network multiplexing/separation function AMUX1a, and access network- 
side transceiver TR04a. 

[0046] 

Core network-side transceiver TR03a is connected to core network CN 
and transmits and receives packets. 


[0047] 

Access network-side transceiver TR04a is connected to access network 
ANa, and transmits and receives packets. 
[0048] 

Virtual core network multiplexing/separation function CMUXa separates 
packets that have been received from core network-side transceiver TR03a for 
each virtual core network, supplies packets that have been received from 
external network (1) virtual core network VCN1 as output to external network (1) 
virtual access network gateway VAGW1a, and performs similar processing for 
external network (2) virtual core network VCN2, external network (3) virtual core 
network VCN3, and control/management virtual core network VCNS. 

[0049] 

Virtual core network multiplexing/separation function CMUXa supplies 
packets that have been received as input from external network (1) virtual access 
network gateway VAGW1a to external network (1) virtual core network VCN1; 
performs similar processing for external network (2) virtual access network 
gateway VAGW2a, external network (3) virtual access network gateway 
VAGW3a, and control/management virtual access network gateway VAGWSa; 
multiplexes each virtual core network; and supplies output to core network-side 
transceiver TR03a. 

[0050] 

Virtual access network multiplexing/separation function AMUX1a 
separates packets that have been received as input from access network-side 
transceiver TR04a for each virtual access network; supplies packets that have 
been received from external network (1) virtual access network VANa1 as output 
to external network (1) virtual access network gateway VAGW1a; and performs 
similar processing for external network (2) virtual access network VANa2, 
external network (3) virtual access network VANa3, and control/management 
virtual access network VANaS. 
[0051] 

Virtual access network multiplexing/separation function AMUX1a supplies 
packets that have been received as input from external network (1) virtual access 
network gateway VAGW1a as output to external network (1) virtual access 
network VANa1; performs similar processing for external network (2) virtual 
access network gateway VAGW2a, external network (3) virtual access network 
gateway VAGW3a, and control/management virtual access network gateway 
VAGWSa; multiplexes each virtual access network; and supplies output to 
access network-side transceiver TR04a. 
[0052] 

External network (1) virtual access network gateway function VAGW1a 
performs routing and filtering of packets between external network (1) virtual core 
network VCN1 and external network (1) virtual access network VANa1. The 
same holds true for external network (2) virtual access network gateway function 
VAGW2a and external network (3) virtual access network gateway function 
VAGW3a. 

[0053] 

In addition to the above-described functions, control/management virtual 
access network gateway function VAGWSa sets the filtering and sets the path to 
each of virtual access network gateway functions VAGW1a, VAGW2a, and 
VAGW3a. 

[0054] 

Fig. 7 shows the configuration of a mobile terminal. Mobile terminal X is 
made up by: radio transceiver TR05, channel multiplexing/separation function 
CHMUX1, packet authentication function PAUTH1, session 
multiplexing/separation function SMUX, terminal authentication function TAUTH2, 
and communication entities ENT1 and ENT2 to a plurality of home networks. 
[0055] 

Radio transceiver TR05 transmits packets to and receives packets from 
radio drop lines. 
[0056] 

Channel multiplexing/separation function CHMUX1 performs multiplexing 
and separation of the authentication channels CCH and communication channels 
TCH on radio drop lines. Packets on authentication channels CCH are 
transmitted to and received from terminal authentication function TAUTH2, and 
packets on communication channels TCH are transmitted to and received from 
packet authentication function PAUTH1. 

[0057] 

Terminal authentication function TAUTH2 includes the mobile 
communication network information management table shown in Fig. 8, the 
home network information management table shown in Fig. 9, and the session 
information management table shown in Fig. 10. 

[0058] 

The mobile communication network information management table that is 
shown in Fig. 8 includes terminal ID 110 and mobile communication network- 
mobile terminal security association 111. Terminal ID 110 is an ID for uniquely 
identifying terminals within the mobile communication network. Mobile 
communication network-mobile terminal security association 111 is information 
for carrying out authentication between a mobile communication network and 
mobile terminals. This information is assumed to be set in advance in mobile 
terminal X. 
[0059] 

The home network information management table that is shown in Fig. 9 
holds one or more items of information that are each composed of the set of 
home network ID 210, home network terminal ID 220, and home network-mobile 
terminal security association 230. Home network ID 210 is an ID for uniquely 
identifying home networks. Terminal ID 220 is an ID for uniquely identifying 
terminals within a home network. Home network-mobile terminal security 
association 230 is information for carrying out authentication between a home 
network and a mobile terminal. This information is assumed to be set in advance 
in mobile terminal X. 

[0060] 

The session information management table that is shown in Fig. 10 
includes one or more items of information that are each composed of the set of: 
home network ID 310, access point ID 320, access point-mobile terminal 
security association 330, session ID 340, and link information 350. 

[0061] 

This information is set when mobile terminal X performs terminal 
authentication, which is to be explained hereinbelow. Access point ID 320 is the 
ID of the access point to which the terminal is currently connected. Access point- 
mobile terminal security association 330 is information for authenticating, of 
packets that are transmitted and received between an access point and a 
terminal, packets other than authentication requests and authentication 
responses. Session ID 340 is an ID for identifying the session that has been set with 
an access point, a session being prepared for each communication with a home 
network. Link information 350 is information that is specific to each link that is 
used for identifying the session and for multiplexing/separation. Link information 
350 depends on the link technology that is employed, and is, for example, a 
connection identifier or virtual private network identifier. 
[0062] 

Packet authentication function PAUTH1, based on previously described 
access point-mobile terminal security association 330, authenticates packets 
that have been received as input from channel multiplexing/separation function 
CHMUX1, and supplies only authenticated packets as output to session 
multiplexing/separation function SMUX. 

[0063] 

In addition, packet authentication function PAUTH1, based on the 
previously described access point-mobile terminal security association 330, 
appends an authentication code to packets that have been received as input 
from session multiplexing/separation function SMUX, and applies these packets 
as input to channel multiplexing/separation function CHMUX1. 

[0064] 

Session multiplexing/separation function SMUX, based on the previously 
described link information 350, determines the session to which packets that have 
been received as input from packet authentication function PAUTH1 belong, and 
then turns over these packets to communication entity ENT1 or ENT2 of the 
corresponding home network. Session multiplexing/separation function SMUX 
further uses link information 350 of the corresponding session to make settings 
such that packets that have been handed over from the communication entities 
ENT1 and ENT2 of home networks are transmitted, and supplies the packets as 
output to packet authentication function PAUTH1. 
[0065] 

Explanation next regards the procedures of terminal authentication with 
reference to Fig. 13. 
[0066] 

When mobile terminal X initiates communication with a home network, 
terminal authentication function TAUTH2 generates authentication request 
packet 400 that is shown in Fig. 11 and transmits the authentication request 
packet to an access point. When generating an authentication request packet, 
the mobile terminal X does not set anything in old access point ID 401 when 
mobile terminal X first connects to the mobile communication network. When 
there is an access point that was previously connected, the mobile terminal sets 
ID 320 of this access point in old access point ID 401 (Step S131). 

[0067] 

Appropriate information is set in mobile terminal ID 402, home network ID 
404, and home network mobile terminal ID 405 of an authentication request 
packet based on the mobile communication network information management 
table (Fig. 8) and the home network information management table (Fig. 9). 
Further, information that is necessary for a mobile communication network to 
authenticate a mobile terminal is set in mobile communication network mobile 
terminal authentication code 403 based on mobile communication network- 
mobile terminal security association 111, and information that is necessary for a 
home network to authenticate mobile terminal X is set in home network mobile 
terminal authentication code 406 based on home network-mobile terminal 
security association 230. Values are set as described above to generate 
authentication request packet 400 (Step 132), and authentication request packet 
400 is then transmitted to access point (Step 133). 
[0068] 

In response, the access point returns the authentication response packet 
that is shown in Fig. 12. The returned authentication response packet is received 
(Step 134), and if authentication result 502 that is set in the authentication 
response packet indicates success, access point ID 501, access point-mobile 
terminal security association information 506, session ID 507, and link 
information 508 that are set in the authentication response packet are saved in 
session information management table (Step 135). 

[0069] 

Fig. 14 shows the configuration of a radio access point. Radio access 
point APa1 is made up from: access network-side transceiver TR06a, virtual 
access network multiplexing/separation function AMUX2a, session-external 
network mapping function MAP1, access point control/management function 
APM1, terminal authentication function TAUTH1, packet authentication function 
PAUTH2, session information handover function HOF1, session information 
management table SMT1, channel multiplexing/separation function CHMUX2, 
and radio transceiver TR07a. 

[0070] 

Access network-side transceiver TR06a is connected to access network 
ANa and transmits and receives packets. 
[0071] 

Radio transceiver TR07a transmits packets to and receives packets from 
radio drop lines. 
[0072] 

Virtual access network multiplexing/separation function AMUX2a 
separates packets that have been received as input from access network-side 
transceiver TR06a for each virtual access network; applies packets that are on 
external network (1) virtual access network VANa1, external network (2) virtual 
access network VANa2, and external network (3) virtual access network VANa3 
as input to session-external network mapping function MAP1; and applies 
packets that are on control/management virtual core network VANaS as input to 
access point control/management function APM1. 
[0073] 

Virtual access network multiplexing/separation function AMUX2a further 
multiplexes, on each virtual access network, packets that have been received as 
input from session-external network mapping function MAP1 and that are 
directed to external network (1) virtual access network VANa1, external network 
(2) virtual access network VANa2, and external network (3) virtual access 
network VANa3, and packets that have been received as input from access point 
control/management function APM1 and that are directed to control/management 
virtual access network VANaS, and supplies the result as output to access 
network-side transceiver TR06a. 

[0074] 

Channel multiplexing/separation function CHMUX2 separates signals that 
are received as input from radio transceiver TR07a for each channel, supplies 
the communication channels as input to packet authentication function PAUTH2, 
and supplies the authentication channels as input to terminal authentication 
function TAUTH1. Channel multiplexing/separation function CHMUX2 further 
multiplexes packets that have been received as input from packet authentication 
function PAUTH2 on the communication channel, multiplexes packets that have 
been received as input from terminal authentication function TAUTH1 on the 
authentication channel, and supplies the result as output to radio transceiver 
TR07a. 

[0075] 

Session information management table SMT1 holds the content that is 
shown in Fig. 15. This content is: mobile terminal ID 610, external network ID 620 
to which that terminal is connected, access point-mobile terminal security 
association 630 for authenticating packets from mobile terminals, session ID 640 
for identifying sessions between mobile terminals and external networks, and link 
information 650 for identifying sessions; and the significance is equivalent to the 
information that is set in a mobile terminal. This information is set based on 
procedures that are to be explained hereinbelow by the terminal authentication 
function when a mobile terminal first connects to a network and carries out 
terminal authentication. 

[0076] 

Packet authentication function PAUTH2 authenticates packets that have 
been received as input from channel multiplexing/separation function CHMUX2 
based on access point-mobile terminal authentication security association 630 
that is held in session information management table 600 that is shown in Fig. 15, 
and supplies the packets as output to session-external network mapping function 
MAP1. 

[0077] 

Packet authentication function PAUTH2 further, based on access point- 
mobile terminal authentication security association 630 that is held in session 
information management table 600 that is shown in Fig. 15, appends an 
authentication code to packets that have been received as input from session- 
external network mapping function MAP1, and then supplies the packets as 
output to channel multiplexing/separation function CHMUX2. 
[0078] 

Session-external network mapping function MAP1 checks the packets 
that have been received as input from packet authentication function PAUTH2, 
and identifies the session based on link information 650 that is held in session 
information management table 600 that is shown in Fig. 15. Session-external 
network mapping function MAP1 then, based on external network ID 620 that 
corresponds to this session, distributes the packets to the appropriate external 
network virtual access network and applies the packets as input to virtual access 
network multiplexing/separation function AMUX2a. 

[0079] 

Session-external network mapping function MAP1 further checks packets 
that have been received as input from virtual access network 
multiplexing/separation function AMUX2a and identifies the session based on 
external network ID 620 and mobile terminal ID 610 that are held in session 
information management table 600 that is shown in Fig. 15. Session-external 
network mapping function MAP1 then uses the appropriate link information that 
corresponds to this session to perform settings for transmission, and supplies the 
packets as output to packet authentication function PAUTH2. 

[0080] 

When the mobile terminal that is the destination of packets that have been 
received from a mobile terminal is subordinate to the same access point, 
session-external network mapping function MAP1 simply transmits these 
packets back without alteration. 
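
The access-point data path of paragraphs [0076] to [0080] (packet authentication function PAUTH2 followed by the session-external network mapping function), as an added example that is not part of the specification. The HMAC-SHA256 authentication code, the `dst\0data` packet layout, the keys and the link-information values are assumptions made for this sketch; the specification names no algorithm or packet format.

```python
import hashlib
import hmac
from dataclasses import dataclass

TAG_LEN = 16  # assumption: authentication code = HMAC-SHA256 truncated to 16 bytes


@dataclass(frozen=True)
class Session:
    """One row of the session information management table (Fig. 15)."""
    terminal_id: bytes   # mobile terminal ID 610
    external_net: int    # external network ID 620
    sa_key: bytes        # access point-mobile terminal security association 630
    session_id: int      # session ID 640
    link_info: int       # link information 650, e.g. a connection identifier


def auth_code(s, payload):
    # Assumption: the code also covers the link information, so a frame
    # cannot be replayed on a different session of the same terminal.
    msg = s.link_info.to_bytes(4, "big") + payload
    return hmac.new(s.sa_key, msg, hashlib.sha256).digest()[:TAG_LEN]


def seal(s, payload):
    """Append the authentication code before sending on the drop line."""
    return payload + auth_code(s, payload)


def open_frame(s, frame):
    """Return the payload if the authentication code verifies, else None."""
    if len(frame) < TAG_LEN:
        return None
    payload, code = frame[:-TAG_LEN], frame[-TAG_LEN:]
    return payload if hmac.compare_digest(code, auth_code(s, payload)) else None


class AccessPoint:
    def __init__(self, sessions):
        # Uplink lookup: link information identifies the session.
        self.by_link = {s.link_info: s for s in sessions}
        # Downlink lookup: external network ID plus mobile terminal ID.
        self.by_net_terminal = {(s.external_net, s.terminal_id): s for s in sessions}

    def uplink(self, link_info, frame):
        """Handle one frame from the communication channel.

        Returns (action, target, data) where action is "drop", "local"
        (destination terminal is under this access point) or "forward"
        (hand to the virtual access network of the session's external network).
        """
        s = self.by_link.get(link_info)
        if s is None:
            return ("drop", "unknown-session", b"")
        payload = open_frame(s, frame)
        if payload is None:
            return ("drop", "bad-auth-code", b"")
        dst = payload.partition(b"\0")[0]  # constructed layout: dst \0 data
        # The peer is searched only inside the sender's external network, so a
        # session for network (2) can never reach a session for network (1).
        peer = self.by_net_terminal.get((s.external_net, dst))
        if peer is not None:
            # Payload is returned unaltered; only the authentication code is
            # regenerated under the destination terminal's security association.
            return ("local", peer.link_info, seal(peer, payload))
        return ("forward", f"VANa{s.external_net}", payload)


# Constructed sample sessions mirroring Sx1, Sx2 and Sy1 of Fig. 4.
SX1 = Session(b"X", 1, b"constructed-key-x1", 1, 0x11)
SX2 = Session(b"X", 2, b"constructed-key-x2", 2, 0x12)
SY1 = Session(b"Y", 1, b"constructed-key-y1", 3, 0x21)
AP = AccessPoint([SX1, SX2, SY1])

if __name__ == "__main__":
    frame = seal(SX1, b"Y\0hello")
    print(AP.uplink(0x11, frame)[:2])                       # local delivery to Y
    print(AP.uplink(0x12, seal(SX2, b"Y\0hello"))[:2])      # forwarded on network (2)
    print(AP.uplink(0x12, frame)[:2])                       # wrong session: dropped
```
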

[0081] 

Access point control/management function APM1 supplies packets that 
have been received as input from terminal authentication function TAUTH1 and 
session information handover function HOF1 as output to virtual access network 
multiplexing/separation function AMUX2a; and separates packets that have been 
received as input from virtual access network multiplexing/separation function 
AMUX2a and then supplies the separated packets to terminal authentication 
function TAUTH1 and session information handover function HOF1. 
[0082] 

Explanation next regards the procedures for authentication of a terminal 
using the flow chart that is shown in Fig. 20. 
[0083] 

Upon receiving from channel multiplexing/separation function CHMUX2 
the authentication request packet that is shown in Fig. 11 that has been received 
from a mobile terminal, terminal authentication function TAUTH1 generates the 
authentication request packet that is shown in Fig. 16 and supplies this packet to 
access point control/management function APM1 for transmission to the mobile 
communication network authentication server. 

[0084] 

Upon receiving from access point control/management function APM1 the 
authentication response packet that is shown in Fig. 17 that has been received 
from the mobile communication network authentication server, terminal 
authentication function TAUTH1 first, if authentication result 802 of the 
authentication response packet indicates success, determines the ID used by the 
session between this mobile terminal X and external network 620 and determines 
link information 650 that is used by this session. 

[0085] 

Terminal authentication function TAUTH1 then saves the content of the 
authentication response packet in the corresponding field of session information 
management table 600 that is shown in Fig. 15, and further, saves the generated 
session ID and link information in the corresponding fields of session information 
management table 600. Terminal authentication function TAUTH1 further 
generates the authentication response packet that is shown in Fig. 12 and 
supplies this packet as output to channel multiplexing/separation function 
CHMUX2 for transmission to a terminal. 
[0086] 

Explanation next regards a portion of the procedures of transferring 
session information with reference to the flow chart of Fig. 21. 
[0087] 

When the mobile terminal moves to the jurisdiction of another access point, 
session information handover function HOF1 generates the session information 
report packet that is shown in Fig. 18 based on the session information of that 
terminal (mobile terminal ID 610, external network ID 620, access point-mobile 
terminal authentication security association 630, session ID 640, and link 
information 650) that is saved in session information management table (Fig. 15), 
and supplies this session information report packet as output to access point 
control/management function APM1 for transmission to the access point of the 
destination of movement of the mobile terminal. 

[0088] 

Session information handover function HOF1 further, upon receiving 
session information report packet 900 that is shown in Fig. 18 from another 
access point, saves mobile terminal ID 902, external network ID 903, access 
point-mobile terminal authentication security association 904, session ID 905, 
and link information 906 in session information management table (Fig. 15). 

[0089] 
Explanation next regards a portion of the procedures of transferring 
session information using the flow chart of Fig. 20. 
[0090] 

When an old access point ID has been set in authentication request 
packet 700 from mobile terminal X, terminal authentication function TAUTH1 
reports this information to session information handover function HOF1 instead of 
carrying out the previously described authentication procedures. Session 
information handover function HOF1 generates session information handover 
request packet 1000 that is shown in Fig. 19 and transmits this packet to the old 
access point. 

[0091] 

Session information handover function HOF1, upon receiving session 
information handover request packet 1000 that is shown in Fig. 19, transmits the 
session information handover report packet that is shown in Fig. 18 by the 
previously described procedures. 

[0092] 

In the case of a wired access point, the configuration is identical to the 
case for a radio access point with the exception that radio transceiver TR07a is a 
transceiver for a wired line, and explanation is therefore here omitted. 

[0093] 

Fig. 22 shows the configuration of a mobile communication network 
authentication server. Mobile communication network authentication server 
MAS1 is made up from: transceiver TR08, virtual core network 
multiplexing/separation function CMUXM, terminal authentication function 
TAUTH, external network determination function EDEC1, and home network 
authentication server communication function HASC1. 
[0094] 

Transceiver TR08 transmits packets to and receives packets from the core 
network CN. 
[0095] 

Virtual core network multiplexing/separation function CMUXM separates 
packets that have been received as input from transceiver TR08 for each virtual 
core network; supplies packets that are received from external network (1) virtual 
core network VCN1, external network (2) virtual core network VCN2, and 
external network (3) virtual core network VCN3 as output to home network 
authentication server communication function HASC1; and supplies packets that 
are received from control/management virtual core network VCNS as output to 
terminal authentication function TAUTH. 

[0096] 

Packets that have been received as input from home network 
authentication server communication function HASC1 and that are directed to 
external network (1) virtual core network VCN1, external network (2) virtual core 
network VCN2, and external network (3) virtual core network VCN3 are 
multiplexed for each virtual network with packets that have been received as 
input from terminal authentication function TAUTH and that are directed to 
control/management virtual core network VCNS and supplied as output to 
transceiver TR08. 

[0097] 

Explanation next regards the processing of packets relating to terminal 
authentication with reference to the flow chart shown in Fig. 27. 
[0098] 

Terminal authentication function TAUTH holds the terminal information 
management table that is shown in Fig. 23. Upon receiving, from virtual core 
network multiplexing/separation function CMUXM, authentication request packet 
700 that is shown in Fig. 16 that has been received from a radio access point or 
a wired access point, terminal authentication function TAUTH authenticates this 
packet based on terminal ID 1110 and mobile communication network-mobile 
terminal security association 1120 of the terminal information management table 
of Fig. 23. A successful authentication indicates that the mobile terminal has 
been authenticated in the mobile communication network. 
[0099] 

At this time, terminal authentication function TAUTH refers to external 
network determination function EDEC1 for the external network ID that 
corresponds to the home network ID. External network determination function 
EDEC1 holds the home network-external network correspondence table that is 
shown in Fig. 24 and answers external network ID 1220 based on this table. At 
this time, terminal authentication function TAUTH requests home network 
authentication server communication function HASC1 for the authentication of 
the mobile terminal to the home network. 

[0100] 

In response, home network authentication server communication function 
HASC1 generates authentication request packet 1300 that is shown in Fig. 25, 
selects the corresponding external network virtual core network for transmitting to 
the authentication server of the home network, and supplies generated 
authentication request packet 1300 to virtual core network 
multiplexing/separation function CMUXM. 

[0101] 

In response, the home network authentication server authenticates the 
packets based on the home network mobile terminal ID and the home network- 
mobile terminal security association that is held in the home network, and replies 
with authentication response packet 1400 that is shown in Fig. 26. 
[0102] 

Upon receiving as input authentication response packet 1400 that is 
shown in Fig. 26 from virtual core network multiplexing/separation function 
CMUXM, home network authentication server communication function HASC1 
supplies this packet as output to terminal authentication function TAUTH. At this 
time, the mobile terminal has been authenticated in both the mobile 
communication network and the home network. 

[0103] 

Terminal authentication function TAUTH produces an access point-mobile 
terminal security association that is used for authenticating packets between the 
access point and the mobile terminal, generates authentication response packet 
800 that is shown in Fig. 17, and supplies this packet as output to virtual core 
network multiplexing/separation function CMUXM for transmission to the access 
point. 

[0104] 

Explanation next regards the overall progression of mobile terminal 
authentication procedures that have been described to this point with reference 
to Fig. 28. 

[0105] 

Mobile terminal X first generates authentication request packet 400 that is 
shown in Fig. 11 and transmits this packet to access point APa1 by way of 
authentication channel M01. 

[0106] 
Access point APa1, having received this packet, generates authentication 
request packet 700 that is shown in Fig. 16 and transmits this packet to mobile 
communication network authentication server MAS by way of 
control/management virtual access network VANaS. Midway, access network 
gateway AGWa transfers the packet that has been received from 
control/management virtual access network VANaS to control/management 
virtual core network VCNS. 

[0107] 

Mobile communication network authentication server MAS, having 
received this packet, both authenticates the mobile terminal and generates 
authentication request packet 1300 that is shown in Fig. 25, and transmits this 
packet to home network authentication server HAS1 by way of external network 
virtual core network VCN1 that corresponds to the destination home network. 
Midway, external network gateway EGW1 transfers the packet that has been 
received from external network virtual core network VCN1 to external network (1) 
EX1. 

[0108] 

Home network authentication server HAS, having received this packet, 
both authenticates the mobile terminal and generates authentication response 
packet 1400 that is shown in Fig. 26 and transmits this packet to mobile 
communication network authentication server MAS. Midway, external network 
gateway EGW1 transfers the packet that has been received from external 
network EX1 to external network virtual core network VCN1. 

[0109] 

Mobile communication network authentication server MAS, having 
received this packet, both generates an access point-mobile terminal security 
association and generates authentication response packet 800 that is shown in 
Fig. 17, and transmits this packet to access point APa1 by way of 
control/management virtual core network VCNS. Midway, access network 
gateway AGWa transfers the packet that has been received from 
control/management virtual core network VCNS to control/management virtual 
access network VANaS. 
[0110] 

Access point APa1, having received this packet, saves access point-mobile 
terminal security association 506, generates both session ID 507 and the 
corresponding link information 508 as well as authentication response packet 
500 that is shown in Fig. 12, and further, transmits this packet to mobile terminal 
X by way of the authentication channel. 

[0111] 

Mobile terminal X, having received this packet, saves access point-mobile 
terminal security association 506, session ID 507, and the corresponding link 
information 508. 

[0112] 

By proceeding through the above-described procedures, the terminal 
authentication of the mobile terminal, the mobile communication network, and the 
home network is completed, and a session for communication with an external 
network, link information for this session, and a security association are set 
between a mobile terminal and an access point. 

[0113] 

Explanation next regards the flow of the transmission and reception of 
packets following terminal authentication based on Fig. 29. 
[0114] 

First, when communication entity ENT1 for each home network on mobile 
terminal X transmits packets, a session that corresponds to the home network is 
selected. Then, using the link information for this session, packets are 
transmitted on communication channel CH1 to access point APa1. 

[0115] 

In access point APa1, packet authentication is first realized for the packets 
that have been received. The external network that corresponds to the session to 
which the packets belong is then selected, the selected external network in this 
case being external network (1); and the packets are supplied as output to the 
virtual access network for this external network, the virtual access network in this 
case being VANa1. 

[0116] 

If the communication partner is subordinate to the same virtual access 
network, these packets are transmitted to the access point to which the 
communication partner is connected. If the communication partner is under a 
different access network or in an external network, the packets are supplied as 
output by way of access network gateway AGWa to the virtual core network, in 
this case VCN1, that corresponds to the virtual access network, in this case 
VANa1. 

[0117] 

Further, if the communication partner is under the jurisdiction of another 
access network, the packets are transferred to that access network gateway by 
way of a virtual core network, in this case VCN1. If the communication partner is 
in an external network, the packets are supplied as output to the external network 
by way of an external network gateway, in this case EGW1. 

[0118] 

The flow of processing when a mobile terminal receives packets is next 
shown. 

[0119] 

When packets from external network (1) EX1 arrive, these packets are 
transferred on the corresponding virtual core network VCN1. These packets are 
transferred on the corresponding virtual access network VANa1 by way of access 
network gateway AGWa of the access network in which the mobile terminal is 
currently located. When access point APa1 receives the packets from the virtual 
access network for a particular external network, a session is selected based on 
this external network and the ID of the mobile terminal that is the destination of 
the packets. 

[0120] 

A packet authentication code is then appended to the packets, and, using 
link information that corresponds to the session, the packets are then transmitted 
on communication channel CH1 to mobile terminal X. 

[0121] 

Upon receiving the packets, mobile terminal X carries out packet 
authentication, and then, based on the session to which the packets belong, 
passes the packets to the communication entity for the appropriate home 
network. 

[0122] 

As one example, Fig. 30 shows the procedures for positional registration 
of mobile terminal X when mobility management node MA1 is arranged in 
external network EX1. Because this processing is performed through the use of 
an already existing technology such as mobile IP, only a summary will be shown. 
Positional registration request packet M30 is transmitted to mobility management 
node MA1 according to the previously described flow of packets. 
[0123] 

Upon receiving this packet, mobility management node MA1 holds the 
position of the terminal and returns positional registration response packet M31 
to mobile terminal X. Packets that are transmitted from other terminals addressed 
to this mobile terminal are first delivered to mobility management node MA1, and 
based on the positional information that is registered, the mobility management 
node transfers these packets to mobile terminal X. 

[0124] 

Fig. 31 and Fig. 32 show the procedures for a case in which a mobile 
terminal is handed over from one access point to another access point. 
[0125] 

There are three forms for this handover: (1) a form in which the mobile 
terminal determines that handover to a new access point will be carried out, and 
reports the new access point to the old access point to which it is currently 
connected; (2) a form in which the access point to which the mobile terminal is 
connected determines the new access point to which the mobile terminal is to be 
handed over and reports this to the mobile terminal; and (3) a form in which, after 
the mobile terminal has been connected to the new access point, the mobile 
terminal then reports to the new access point the old access point to which it was 
previously connected. 

[0126] 

Fig. 31 shows the procedures for the first two of these forms. When old 
access point APo itself determines the new access point APn that is the 
handover destination of mobile terminal X, or when the new access point APn 
that is the handover destination is notified from mobile terminal X, the old access 
point APo before movement extracts all of the session information for this mobile 
terminal from the session information table, produces a session information 
handover report packet that is shown in Fig. 18, and transmits this packet to new 
access point APn after movement. 
[0127] 

If the new access point is subordinate to another access network at this 
time, the packet is transferred by way of an access network gateway. The new 
access point APn sets this information in a session information management 
table. 

[0128] 

Fig. 32 shows the procedures for the third form of the three handover 
forms described above. When the new access point APn after movement 
receives the authentication request packet that is shown in Fig. 11 from the 
mobile terminal, access point APn, based on the old access point ID that is set in 
this packet, transmits the session information handover request that is shown in 
Fig. 19 to access point APo, which is the old access point before movement. 

[0129] 

Old access point APo extracts all session information for this mobile 
terminal from this session information table, produces the session information 
handover report packet that is shown in Fig. 18, and transmits this packet to 
access point APn, which is the new access point after movement. The new 
access point sets this information in a session information management table. 

[0130] 

By means of the above-described procedures, a mobile terminal can 
continue communication with the same external network when moving to the 
jurisdiction of another access point. 
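
The access point behaviour described in [0114] to [0121] (packet authentication, then selection of the virtual access network from the session) and the session information handover of [0126] to [0129], as an added Python sketch that is not part of the specification. The HMAC-SHA256 packet authentication code, the field layout, and all class and function names are assumptions; the specification names no algorithm or data format.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Session:
    terminal_id: str    # ID of the mobile terminal
    external_net: int   # n of the external network the session was set up for
    sa_key: bytes       # access point-mobile terminal security association
    link_info: str      # link information for the session


def packet_auth_code(sa_key: bytes, session_id: int, payload: bytes) -> bytes:
    # Assumption: HMAC-SHA256 over session ID and payload (no algorithm is named).
    msg = session_id.to_bytes(4, "big") + payload
    return hmac.new(sa_key, msg, hashlib.sha256).digest()


class AccessPoint:
    def __init__(self, ap_id: str, access_net: str):
        self.ap_id = ap_id
        self.access_net = access_net
        self.sessions = {}  # session ID -> Session (session information table)

    def open_session(self, terminal_id, external_net, sa_key, link_info) -> int:
        # Called once terminal authentication has succeeded.
        sid = int.from_bytes(os.urandom(4), "big")
        while sid in self.sessions:
            sid = int.from_bytes(os.urandom(4), "big")
        self.sessions[sid] = Session(terminal_id, external_net, sa_key, link_info)
        return sid

    def uplink(self, session_id, payload, code):
        """Return the virtual access network to output to, or None to drop."""
        s = self.sessions.get(session_id)
        if s is None:
            return None
        expected = packet_auth_code(s.sa_key, session_id, payload)
        if not hmac.compare_digest(expected, code):
            return None
        # The network comes from the authenticated session, not from the packet.
        return f"VAN{self.access_net}{s.external_net}"

    def downlink(self, external_net, terminal_id, payload):
        """Select the session by (external network, terminal ID) and add a code."""
        for sid, s in self.sessions.items():
            if s.external_net == external_net and s.terminal_id == terminal_id:
                code = packet_auth_code(s.sa_key, sid, payload)
                return s.link_info, sid, payload, code
        return None  # no session for this network: nothing is delivered

    def handover_report(self, terminal_id):
        """Extract all session information for one terminal (old access point)."""
        moved = {sid: s for sid, s in self.sessions.items()
                 if s.terminal_id == terminal_id}
        for sid in moved:
            del self.sessions[sid]  # assumption: the old access point drops them
        return moved

    def accept_handover(self, report):
        """Set the reported sessions in the new access point's table."""
        self.sessions.update(report)
```

The handover report carries the security association itself, so it has to travel only on the protected control/management virtual networks. The sketch has no sequence number or direction field in the authentication code, so replayed packets are not rejected.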

[0131] 
(Second Embodiment) 

Explanation next regards the second embodiment of the present invention 
with reference to Fig. 33. The configuration of the mobile communication 
network of Fig. 33 is essentially identical to that of Fig. 1, with the exception of 
the addition of local mobility management node LMA1 to the core network. 

[0132] 

Fig. 34 shows the configuration of local mobility management node LMA1. 
Local mobility management node LMA1 is made up of: transceiver TR09, 
virtual core network multiplexing/separation function CMUXL, external network 
(1) virtual local mobility management node VLMA1, external network (2) virtual 
local mobility management node VLMA2, external network (3) virtual local 
mobility management node VLMA3, and control/management virtual local 
mobility management node VLMAS. 

[0133] 

Transceiver TR09 is connected to core network CN and transmits and 
receives packets. 
[0134] 

Virtual core network multiplexing/separation function CMUXL separates 
packets that are received as input from core network-side transceiver TR09 for 
each virtual core network, supplying packets that have been received from 
external network (1) virtual core network VCN1 to external network (1) virtual 
local mobility management node VLMA1, and carrying out similar operations for 
external network (2) virtual core network VCN2, external network (3) virtual core 
network VCN3, and control/management virtual core network VCNS. 

[0135] 

Virtual core network multiplexing/separation function CMUXL further 
supplies packets that have been received as input from external network (1) 
virtual local mobility management node VLMA1 as output to external network (1) 
virtual core network VCN1, performs similar processing for external network (2) 
virtual local mobility management node VLMA2, external network (3) virtual local 
mobility management node VLMA3, and control/management virtual local 
mobility management node VLMAS, multiplexes each virtual core network, and 
supplies the result to transceiver TR09. 

[0136] 

Each of the virtual local mobility management nodes employs an already 
existing technology such as Mobile IP, and these procedures are next described 
using Fig. 35. Mobile terminal X transmits a positional registration request to 
external network (1) virtual local mobility management node VLMA1. External 
network (1) virtual local mobility management node VLMA1, having received this 
request, holds the positional information of the mobile terminal and transmits a 
positional registration response. 

[0137] 

When packets addressed to mobile terminal X are sent in, external 
network (1) virtual local mobility management node VLMA1 also transfers these 
packets to the position that was reported from mobile terminal X, whereby a 
function for supporting the movement of the terminal on the virtual network is 
provided. 

[0138] 

Although the present invention has been described hereinabove by 
presenting preferable embodiments and working examples, the present invention 
is not necessarily limited to the above-described embodiments and working 
examples and is open to various modifications within the scope of the technical 
concept of the invention. 
[0139] 

[Effects of the Invention] 

The present invention as described hereinabove can realize the following 
effects: 

[0140] 

When realizing communication between mobile terminals in the prior art, 
packets were transferred by way of external network gateways. In contrast, when 
realizing communication between mobile terminals in the present invention, 
communication is realized by returning at the access point when each of the 
mobile terminals is under the jurisdiction of the same access point, 
communication is realized by way of the access network when each of the mobile 
terminals is under the jurisdiction of the same access network, and 
communication is realized by way of a core network when each of the mobile 
terminals is under the jurisdiction of different access networks, whereby the 
efficiency of circuit use of core networks and access networks can be improved. 

[0141] 

Moreover, regarding multicast communication, the efficiency of circuit use 
in the prior art was poor because multicast packets were copied a number of 
times equal to the number of mobile terminals that receive multicast packets in 
an external network gateway and then transferred to mobile terminals on tunnels. 
In the present invention, however, packets on core networks or access networks 
are transferred using multicast, and the efficiency is therefore improved. 

[0142] 

In addition, according to the present invention, private networks are 
formed by virtual core networks and virtual access networks, whereby the 
inconvenience of establishing a security association between mobile terminals 
can be eliminated. 
[0143] 

According to the present invention, moreover, communication between 
nodes on a mobile communication network is protected by means of 
control/management virtual core networks and virtual access networks, whereby 
the inconvenience of establishing a security association between nodes can be 
eliminated. 

[0144] 

Finally, according to the present invention, the private leased line 
connection between a mobile terminal and an external network can be continued 
without interruption when mobile terminals implement handover. 
[Brief Description of the Drawings] 

[Fig. 1] A diagram showing the configuration of an overall network 
according to the first embodiment of the present invention. 

[Fig. 2] A diagram showing the relation between a core network and a 
virtual core network that is multiplexed on the core network in the first 
embodiment of the present invention. 

[Fig. 3] A diagram showing the relation between a core network and a 
virtual access network that is multiplexed on the core network in the first 
embodiment of the present invention. 

[Fig. 4] A diagram showing the relation between radio or wired drop lines, 
authentication channels that are multiplexed on these lines, and communication 
channels; and the relation between mobile terminals that are multiplexed on 
communication channels and the sessions between external networks. 

[Fig. 5] A diagram showing the configuration of an external network 
gateway in the first embodiment of the present invention. 

[Fig. 6] A diagram showing the configuration of an access network 
gateway in the first embodiment of the present invention. 

[Fig. 7] A diagram showing the configuration of a mobile terminal in the 
first embodiment of the present invention. 

[Fig. 8] A diagram showing the configuration of a mobile communication 
network information management table that is held by a mobile terminal. 

[Fig. 9] A diagram showing the configuration of a home network 
information management table that is held by a mobile terminal. 

[Fig. 10] A diagram showing the configuration of a session information 
management table that is held by a mobile terminal. 

[Fig. 11] A diagram showing the content of an authentication request 
packet that is transmitted to an access point by a mobile terminal. 

[Fig. 12] A diagram showing the content of an authentication response 
packet that is transmitted to a mobile terminal by an access point. 

[Fig. 13] A diagram showing a flow chart showing the procedures for 
terminal authentication. 

[Fig. 14] A diagram showing the configuration of an access point. 

[Fig. 15] A diagram showing the configuration of a session information 
management table of an access point. 

[Fig. 16] A diagram showing the content of an authentication request 
packet that is transmitted to a mobile communication network authentication 
server by an access point. 

[Fig. 17] A diagram showing the content of an authentication response 
packet that is transmitted to an access point by a mobile communication network 
authentication server. 

[Fig. 18] A diagram showing the content of a session information report 
packet that is transmitted to a new access point by the old access point. 

[Fig. 19] A diagram showing the content of a session information request 
packet that is transmitted to the old access point by the new access point. 

[Fig. 20] A diagram showing a flow chart showing the processing of 
packets relating to terminal authentication in an access point. 

[Fig. 21] A diagram showing a flow chart showing the processing for 
transmission of session information handover report packets in an access point. 

[Fig. 22] A diagram showing the configuration of a mobile communication 
network authentication server. 

[Fig. 23] A diagram showing the configuration of a mobile terminal 
information management table. 

[Fig. 24] A diagram showing the configuration of a home network-external 
network correspondence table. 

[Fig. 25] A diagram showing the content of an authentication request 
packet that is transmitted to a home network authentication server by a mobile 
communication network authentication server. 

[Fig. 26] A diagram showing the content of an authentication response 
packet that is transmitted to a mobile communication network authentication 
server by a home network authentication server. 

[Fig. 27] A diagram showing a flow chart showing the procedures of 
terminal authentication in a mobile communication network authentication server. 

[Fig. 28] A diagram showing the procedures of terminal authentication. 

[Fig. 29] A diagram showing the flow of transmission and reception of 
packets. 

[Fig. 30] A diagram showing the flow of positional registration to a mobility 
management node of a home network. 

[Fig. 31] A diagram showing the procedures for transferring session 
information to a new access point from the old access point. 

[Fig. 32] A diagram showing the procedures for requesting transfer of 
session information from the new access point to the old access point. 

[Fig. 33] A diagram showing the overall configuration in the second 
embodiment of the present invention. 

[Fig. 34] A diagram showing the configuration of a local mobility 
management node in the second embodiment of the present invention. 

[Fig. 35] A diagram showing the procedures for positional registration to a 
local mobility management node. 

[Description of Numbers] 

Exn: external network (n) 

MNW: mobile communication network 

CN: core network 

MAn: mobility management node (n) 

HASn: home network authentication server (n) 

EGWn: external network gateway (n) 

MAS: mobile communication network authentication server 

AGWa: access network gateway (a) 

ANa: access network (a) 

APan: radio access point (a-n) 

X, Y, Z: mobile terminal 

LMA1: local mobility management node 

VCNn: virtual core network for external network (n) 

VCNS: virtual core network for control/management 

VANan: virtual access network (a) for external network (n) 

VANaS: virtual access network (a) for control/management 

San: session between mobile terminal (a) and external network (n) 

CH1: communication channel 

CH2: authentication channel 

LD: wired drop line or radio drop line 

EGWn: external network gateway (n) 

EGF: external network gateway function 

EGCF: external network gateway control function 

CMUX1: virtual core network multiplexing-separation function 

TR01: external network-side transceiver 

TR02: core network-side transceiver 

AMUX1a: virtual access network multiplexing/separation function 

TR03a: core network-side transceiver 

TR04a: external network-side transceiver 

ANGa: access network gateway (a) 

VAGWna: virtual access network gateway (a) for external network (n) 

VAGWSa: virtual access network gateway (a) for control/management 

ENTn: communication entity to home network (n) 

TAUTH2: terminal authentication function (mobile terminal) 

SMUX: session multiplexing/separation function 

CHMUX1: channel multiplexing/separation function (mobile terminal) 

PAUTH1: packet authentication function (mobile terminal) 

TR05: radio transceiver (mobile terminal) 

TCH: communication channel (mobile terminal) 

CCH: authentication channel (mobile terminal) 

TAUTH1: terminal authentication function 

MAPI: session-external network mapping function 

SMT1: session information management table 

APM1: access point control/management function 

AMUX2a: virtual access network multiplexing/separation function 

HOF1: session information handover function 

PAUTH2: packet authentication function 

CHMUX2: channel multiplexing/separation function 

TR06a: access network-side transceiver 

TR07a: radio transceiver 

EDEC1: external network determination function 

TAUTH: terminal authentication function 

HASC1: home network authentication server communication function 
CMUXM: virtual core network multiplexing/separation function 
TR08: transceiver 

LMA1: local mobility management node 

ABSTRACT 

[Document Name] Abstract 
[Abstract] 

[Problems] A mobile communication method for realizing an improvement 
in the efficiency of circuit use when implementing communication between mobile 
terminals will be provided. 

[Means to solve problems] A mobile terminal is provided with means for 
setting a session with an access point of a mobile communication network for the 
network to which it wants to connect. The mobile communication network is 
provided with means for multiplexing a variety of networks using virtual network 
technology. The access point is provided with means for connecting the session 
that has been set by the mobile terminal to the corresponding virtual network and 
means for transmitting the information of the session that has been set by the 
mobile terminal to a new access point from the current access point, when the 
mobile terminal moves to the jurisdiction of the new access point. 

[Selected Figure of the Drawings] Fig. 1 